Information Security Policy

Purpose

This document provides an overview of LightForce Orthodontics IT Security Policies for training and reference purposes.

Scope

This document covers general IT policies related to physical and digital locations and information. It does not represent a comprehensive view of all policies related to security, Information Technology, or personnel.

Information Security Objectives

To protect all LightForce IT resources and information from potential loss, theft, breach or security incident.

Body

Acceptable usage policy

Individuals covered by this policy must:

  • Use resources only for authorized purposes.
  • Protect their User IDs, digital / electronic signatures, other authentication and authorization mechanisms, and systems, from unauthorized use. Each individual is responsible for all access to LightForce information resources and technology by their User IDs, digital/electronic signatures, and other authentication and authorization mechanisms, and for any activity originating from their systems.
  • Access only information to which they have been given authorized access or that is publicly available.
  • Use only legal versions of copyrighted software in compliance with vendor license requirements.
  • Be considerate in the use of shared resources. Refrain from monopolizing systems, overloading networks with excessive data, degrading services, or wasting computer time, connection time, disk space, printer paper, manuals, or other resources.
  • Restrict personal use of LightForce information resources and technology to incidental, intermittent and minor use that is consistent with applicable law and LightForce Policy.
  • Include only material germane to LightForce matters in electronic communications, such as e-mail, websites, blogs, etc. Personal web sites, chat rooms, web logs (also known as blogs) and other forms of publicly available electronic communications hosted on or linked from LightForce information resources and technology must comply with this Acceptable Use Policy and prominently include the following disclaimer: “The views, opinions and material expressed here are those of the author and have not been reviewed or approved by LightForce Orthodontics, Inc.”
  • Store confidential data only in LightForce approved secured locations.
  • Transmit / transport confidential data, information, and information assets only via LightForce approved secured mechanisms.
  • Use Bring Your Own Device (BYOD) only in LightForce-approved ways.
  • Revise passwords and other authentication and authorization mechanisms suspected of compromise.
  • Report identified or suspected security incidents to the Information Technology Department.

Individuals covered by this policy must not:

  • Gain access to or use another person’s system, files, or data without permission (note that permission from an individual user may not be sufficient – some systems may require additional authority).
  • Reveal a password or other authentication and authorization means to any other individual, even those claiming to be an IT support technician (over the phone or in person).
  • Use computer programs to decode passwords or access-control information.
  • Attempt to circumvent or subvert system or network security measures.
  • Engage in any activity that is intended to harm systems or any information stored thereon, including creating or propagating malware, such as viruses, worms, or “Trojan horse” programs; disrupting services; damaging files; or making unauthorized modifications to LightForce data.
  • Make or use illegal copies of copyrighted software, store such copies on LightForce systems, or transmit them over LightForce networks.
  • Use email, social networking sites or tools, or messaging services in violation of laws or regulations or to harass or intimidate another person, for example, by broadcasting unsolicited messages, by repeatedly sending unwanted mail, or by using someone else’s name or User ID.
  • Waste shared computing or network resources, for example, by intentionally placing a program in an endless loop, printing excessive amounts of paper, or by sending chain letters or unsolicited mass mailings.
  • Use LightForce’s systems or networks for commercial purposes; for example, by selling access to your User ID or by performing work for profit with LightForce resources in a manner not authorized by LightForce.
  • State or imply that they speak on behalf of LightForce or use LightForce trademarks and logos without authorization to do so.
  • Violate any applicable laws and regulations or LightForce policies and procedures that govern the use of IT resources.
  • Transmit commercial or personal advertisements, solicitations, endorsements, or promotions unrelated to the business of LightForce.
  • Use “auto-forward” rules to send business email to a non-LightForce email account.
  • Send or receive high risk and/or confidential information via the Internet without making reasonable accommodations for the security of such information.
  • Modify, without proper authorization, any of LightForce’s information resources and technology, including the work products of others.
  • Store confidential data on local drives, flash drives, or other portable or external media.

Antivirus management

LightForce Orthodontics, Inc. data is hosted and accessed through a secure cloud infrastructure. We do not currently have a device-level antivirus solution implemented.

Backup and disaster recovery

The LightForce Orthodontics, Inc. Disaster Recovery Plan can be found at https://it-security.lightforceortho.com/.

Change management

LightForce Orthodontics, Inc. follows a rigorous change control process for all systems, both internal and client-facing.

Cryptography usage

Client/patient data held by LightForce Orthodontics, Inc. is encrypted in transit and at rest.

Data classification

  • Public data: This type of data is freely accessible to the public (i.e. all employees/company personnel). It can be freely used, reused, and redistributed without repercussions. An example might be first and last names, job descriptions, or press releases.
  • Internal-only data: This type of data is strictly accessible to internal company personnel or internal employees who are granted access. This might include internal-only memos or other communications, business plans, etc.
  • Restricted and Confidential data: Access to confidential data requires specific authorization and/or clearance. Types of confidential data might include Social Security numbers, cardholder data, M&A documents, and more. Usually, confidential data is protected by laws and standards such as HIPAA and PCI DSS. Restricted data includes data that, if compromised or accessed without authorization, could lead to criminal charges and massive legal fines or cause irreparable damage to the company. Examples of restricted data might include proprietary information or research and data protected by state and federal regulations.

Data retention

Personal information held by LightForce Orthodontics, Inc. will be retained and/or destroyed as required by applicable laws, standards, and regulations, as well as LightForce’s Retention Policy.

Email Policies

The LightForce Orthodontics, Inc. Email Security Policy can be found at https://it-security.lightforceortho.com/.

Identity and access management

LightForce’s IAM solution uses an SSO implementation to centralize account management and security, and to provide group- and role-based access to resources as required.

Incident response

The LightForce Orthodontics, Inc. Incident Response Policy can be found at https://it-security.lightforceortho.com/.

Insider Threat Protection

TRAINING

  • New employees are given thorough, accurate training on the organization’s policies and HIPAA requirements regarding user and information access.
  • Probing and penetration testing is automated, as is the assignment of training materials to individuals who fail those tests.
  • Additional training is conducted based on insights from regular monitoring and audits.

AWARENESS

  • Employees are aware that user access is consistently monitored and audited for irregularities.
  • Employees are aware of the scope of their user access.

TECHNOLOGY

  • LightForce Orthodontics, Inc. utilizes software with HIPAA-compliant access monitoring.
  • LightForce Orthodontics, Inc. utilizes technology that offers real-time updates to prevent breaches.
  • LightForce uses role-based access control and least privileged access.

Internet usage restrictions

LightForce monitors and logs all web traffic from within all physical locations.

Mobile device policy

LightForce monitors all traffic from mobile devices within all physical locations.

Network security

  • LightForce locations, physical and hosted, are accessible only via approved VPN connections and/or multi-factor authentication by approved personnel.
  • LightForce locations use heuristics, pattern recognition, and intrusion detection and intrusion prevention solutions to monitor for and proactively prevent security breaches.

Password and credential protocols

LightForce Orthodontics, Inc. password policy is as follows:

  • Minimum length: 8 characters
  • Complexity requirements: none
  • Expiration: none

Patch Management

  • LightForce monitors systems for patches and security vulnerabilities, providing regular and as-needed patching and maintenance with minimal service interruptions.
  • Redundant systems are used to facilitate limited to no downtime for patching and maintenance.

Physical and environmental security

LightForce locations require a registered key fob ID to access doors through a role-based access system. Systems are monitored and audited for access controls and rigorously maintained through changes such as personnel offboarding.

Ransomware detection

LightForce uses IPS/IDS technology to detect and prevent suspicious behavior in real time.

System update schedule

  • LightForce has a dynamic and fast-paced development pipeline, and as such, patching and updates are incorporated into that process.
  • Critical systems are constantly monitored for updates, and patches are applied on a regular schedule and as needed.

Wireless network and guest access policy

LightForce maintains multiple wireless networks with varying access to resources and access control policies.

Network Access Policy

  • LightForce monitors all network traffic and connectivity.
  • Physical network segregation is used to isolate hardware and systems that contain transient manufacturing data.
  • Production and stored patient and client data is only accessible via hosted services protected by multi-factor authentication and VPN.

Remote Access Policy

  • LightForce controls remote access via a VPN that requires multi-factor authentication.
  • The use of LightForce resources remotely is restricted to approved and required use-cases only.

Outsourcing Policy

LightForce requires contractors and temporary employees to sign non-disclosure agreements and complete all required HIPAA and Privacy training prior to starting work and accessing LightForce systems.

Enforcement

Failure to comply with LightForce IT Policies is monitored, and additional training and review are provided as necessary.

User training

New hires are required to complete training on the LightForce Quality Policy and IT Security Fundamentals.